Apple Fails to Inform AV Providers About New Malware Threat

Months after a group of cyber-spies was uncovered, security researchers have reported that its macOS malware continues to operate undetected by antivirus providers.

The digital espionage operation, called Windshift, spies on government agencies, critical infrastructure companies, and individuals in the Middle East. The APT (“advanced persistent threat”) remained hidden for at least two years until a few months ago, when a DarkMatter researcher exposed the operation to the public at a conference in Singapore.

From what is known, Windshift is a very stealthy and methodical operation that attacks targets over the course of a year. The agents create fake social media profiles in order to befriend and collect personal information about individuals. They then use the user credentials to infect devices with malware.

If they are unsuccessful, Windshift hackers will wait up to half a year before redoubling their efforts. What also sets Windshift apart is their usage of Mac malware in order to bypass macOS defenses and infiltrate personal computers.

Since its discovery, security experts have found most antivirus providers still do not detect the macOS malware (with the exception of Kaspersky and ZoneAlarm), Ars Technicareports.

Mac security researcher Patrick Wardle explains that this means Apple failed to properly notify antivirus providers about the malware so that they could detect and identify it as malicious. He writes:

“The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate… and thus surely this malware as well… yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal. Does this mean Apple isn’t sharing valuable malware/threat-intel with AV-community, preventing the creation of widespread AV signatures that can protect end-users?! 🤔Narrator: yes”.

The threat presented by Windshift’s malware has diminished significantly since Windshift’s control server has been taken offline. This means that even those infected with macOS malware are not being actively surveilled. Yet the lack of communication between Apple and others in the AV community is disconcerting and unnecessarily risky.

“I think [the lack of detections] highlights that traditional AV struggles with new/APT malware on macOS… but also Apple’s hubris,” Wardle said to Ars Technica. “We’ve seen them do this before 🙁 It’s disheartening, and somebody needs to call them out on it.”